CN114884749B - Network security situation perception method based on artificial intelligence - Google Patents


Info

Publication number
CN114884749B
Authority
CN
China
Prior art keywords
target
uplink flow
access
flow
connection number
Legal status
Active
Application number
CN202210784685.8A
Other languages
Chinese (zh)
Other versions
CN114884749A (en)
Inventor
田常立
王晨
陈倩
张垒
周志远
田艳艳
刘茂宽
赵立勋
Current Assignee
Zhilian Xintong Technology Co ltd
Original Assignee
Zhilian Xintong Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/142 Network analysis or design using statistical or mathematical methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Algebra (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Probability & Statistics with Applications (AREA)
  • Pure & Applied Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of artificial intelligence, in particular to a network security situation perception method based on artificial intelligence. The method comprises the steps of obtaining the connection number, the access duration, the access times, the uplink flow sequence and the total uplink flow of each target IP; calculating an access behavior evaluation index of the target IP based on the access times, the access duration and the uplink flow sequence; analyzing the uplink flow to obtain a flow distribution score for each target IP; obtaining a behavior forgiveness coefficient from the connection number and the flow distribution score; and obtaining the maximum connection number and the maximum uplink flow of the target IP from the access behavior evaluation index, the behavior forgiveness coefficient and the uplink flow. By analyzing the connection number, the uplink flow and the access duration of each target IP, the embodiment of the invention obtains the maximum connection number and maximum uplink flow for that target IP, limits the connections and uplink flow of the target IP accordingly to avoid DDoS attacks, and thereby senses the network security situation.

Description

Network security situation perception method based on artificial intelligence
Technical Field
The invention relates to the technical field of artificial intelligence, in particular to a network security situation perception method based on artificial intelligence.
Background
Network security situation awareness means acquiring, understanding and displaying, in a large-scale network environment, the security elements that can change the network situation, and predicting the future trend of network security from those elements. With the rapid development of computer technology, the services handled by computers have grown from stand-alone numerical computation and file processing, through internal services on simply connected internal networks and office automation, to enterprise-level systems built on complex intranets, extranets and the global Internet, with worldwide information sharing and service processing. As processing capacity has improved, so has connection capacity. However, as connectivity improves, the security problems of network connections become increasingly prominent.
With the continuous growth of network scale and the increasing complexity of network structure, more users now operate their own internal infrastructure. In recent years users have combined public cloud, internal computing cloud and private cloud in the data center; storage, computation and even whole services can be kept on internal infrastructure, while cloud network resources are brought online and delivered quickly through intranet services. Network security situation awareness services are hard to optimize for such dedicated loads. From the user's point of view the hybrid cloud is simple to configure and has a low entry barrier: the user only accesses the reverse-proxy domain name of the public cloud outlet and gets an intranet-like experience. As a result, resources cannot be allocated effectively and DDoS attacks are suffered more easily. Because the resources that different users consume at the public cloud outlet are unknown once connected, end users affect each other's experience. One user may run a multi-threaded download tool or a DDoS tool and subject the network to a DDoS attack, encroaching substantially on bandwidth; this encroachment shows up mainly as an excessive number of connections from that user's target IP and excessive upstream traffic from that target IP.
Currently the common approach is simply to limit the traffic of a connection, and bandwidth limits can be applied to a target IP through automatic configuration. Limiting bandwidth for all IPs in advance is not effective, however: when a client establishes many connections, as in DDoS and multi-threaded downloading, a bandwidth limit on the target IP alone cannot effectively limit that IP's resource consumption.
Disclosure of Invention
In order to solve the above technical problems, an object of the present invention is to provide a network security situation awareness method based on artificial intelligence. The adopted technical scheme is as follows:
acquiring the number of connections established between each target IP and the public cloud, the access durations of each target IP, the uplink flow sequence of each target IP and the corresponding total uplink flow;
taking the number of access durations of each target IP as the access times; calculating an access behavior evaluation index of the target IP based on the access times, the access durations and the fluctuation degree of the uplink flow sequence; analyzing each target IP based on the total uplink flow to obtain a flow distribution score and a distribution probability for each target IP; obtaining a difference coefficient from the difference between the connection number of the target IP and the median of the connection number sequence; and taking the product of the difference coefficient and the absolute value of the flow distribution score as the behavior forgiveness coefficient;
obtaining a network anomaly evaluation of the target IP based on the fluctuation degree of the uplink flow sequence and the access duration; and, when the network anomaly evaluation exceeds a preset anomaly threshold, obtaining the maximum connection number of the target IP from the access behavior evaluation index and the behavior forgiveness coefficient, and obtaining the maximum uplink flow of the target IP from the behavior forgiveness coefficient and the difference between the real-time uplink flow and the standard uplink flow.
Preferably, calculating the access behavior evaluation index of the target IP based on the access times, the access duration and the fluctuation degree of the uplink flow sequence includes:
acquiring the difference between each uplink flow value and a preset standard uplink flow as a fluctuation difference value, and taking the mean of the squares of the fluctuation difference values as the fluctuation degree of the uplink flow sequence;
the access behavior evaluation index is calculated by the formula shown in the original patent figure (formula image not reproduced here), in which:
(symbol not reproduced) is the access behavior evaluation index;
(symbol not reproduced) is the number of accesses;
(symbol not reproduced) is the ith access duration;
tanh() is the hyperbolic tangent function;
(symbol not reproduced) is the fluctuation degree of the uplink flow sequence;
(symbol not reproduced) is the first adjustment parameter.
Preferably, the analyzing each target IP based on the total uplink traffic to obtain a traffic distribution score and a distribution probability of each target IP includes:
and performing cold and hot point analysis on each target IP based on the total uplink flow of each target IP to obtain the flow distribution score and the distribution probability of each target IP.
Preferably, obtaining the difference coefficient from the difference between the connection number of the target IP and the median of the connection number sequence includes:
acquiring the median of the connection number sequence; subtracting one from the ratio of the target IP's connection number to the median to obtain an initial difference value; taking the absolute value of the second adjustment parameter multiplied by the initial difference value as a second difference value;
and taking the exponential with base ten and the second difference value as exponent as the difference coefficient of the target IP.
Preferably, obtaining the network anomaly evaluation of the target IP based on the fluctuation degree of the uplink flow sequence and the access duration includes:
calculating the network anomaly evaluation by the formula shown in the original patent figure (formula image not reproduced here), in which:
(symbol not reproduced) is the network anomaly evaluation;
(symbol not reproduced) is the maximum function;
(symbol not reproduced) is the sign function;
(symbol not reproduced) is the hyperbolic tangent function;
(symbol not reproduced) is the mean function;
(symbol not reproduced) is the real-time uplink flow;
(symbol not reproduced) is the preset standard uplink flow;
(symbol not reproduced) is the first adjustment parameter;
(symbol not reproduced) is the third adjustment parameter;
(symbol not reproduced) is the first access duration;
(symbol not reproduced) is the standard first access duration.
Preferably, obtaining the maximum connection number of the target IP from the access behavior evaluation index and the behavior forgiveness coefficient includes:
acquiring the historical maximum connection number of the target IP;
taking the exponential with the natural constant e as base and the negative behavior forgiveness coefficient as exponent, and multiplying it by the access behavior evaluation index to obtain a first weight; the sum of the first weight and one is a second weight; multiplying the reciprocal of the second weight by the historical maximum connection number gives a first connection number;
multiplying a preset adjustment parameter by the historical maximum connection number gives a second connection number;
and taking the smaller of the first connection number and the second connection number as the maximum connection number of the target IP.
Preferably, obtaining the maximum uplink flow of the target IP from the behavior forgiveness coefficient and the difference between the real-time uplink flow and the standard uplink flow includes:
taking the difference between the preset standard uplink flow and the real-time uplink flow as a fluctuation difference value;
taking the exponential with the natural constant e as base and the negative behavior forgiveness coefficient as exponent, and multiplying it by the fluctuation difference value to obtain an adjusted uplink flow; the sum of the real-time uplink flow and the adjusted uplink flow is the maximum uplink flow of the target IP.
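The limit computation described in words above (fluctuation degree, difference coefficient, behavior forgiveness coefficient, maximum connection number and maximum uplink flow), as an added example in Python that is not code from the patent or its assignee. The access behavior evaluation index, the network anomaly evaluation and the flow distribution score Z are taken as inputs because their formulas exist only as images; the second adjustment parameter, the preset adjustment parameter, the reading of "absolute value of the second adjusting parameter and the initial difference value" as the absolute value of their product, and all sample values are assumptions.

```python
"""Connection and uplink-flow limits for one target IP, following the
patent's word-level description. Added illustration, not code from the
patent or its assignee. The access behavior evaluation index, the network
anomaly evaluation and the flow distribution score Z are taken as inputs
because their formulas are only available as images; the second adjustment
parameter, the preset adjustment parameter and all sample values are
constructed for illustration."""
import math
import statistics
from typing import Optional, Sequence

STANDARD_UPLINK_MBPS = 2.0  # preset standard uplink flow stated in the description


def fluctuation_degree(uplink_seq: Sequence[float],
                       standard: float = STANDARD_UPLINK_MBPS) -> float:
    """Mean of the squared differences between each sample and the standard uplink flow."""
    if not uplink_seq:
        raise ValueError("uplink flow sequence is empty")
    return sum((x - standard) ** 2 for x in uplink_seq) / len(uplink_seq)


def difference_coefficient(connections: int, connection_seq: Sequence[int],
                           second_param: float) -> float:
    """10 ** |second_param * (connections / median - 1)|.

    'The absolute value of the second adjusting parameter and the initial
    difference value' is read here as the absolute value of their product
    (interpretation of the description)."""
    median = statistics.median(connection_seq)
    if median == 0:
        raise ValueError("median connection number is zero")
    initial_diff = connections / median - 1.0
    second_diff = abs(second_param * initial_diff)
    return 10.0 ** second_diff


def forgiveness_coefficient(diff_coef: float, distribution_score: float) -> float:
    """Behavior forgiveness coefficient: difference coefficient times |Z|."""
    return diff_coef * abs(distribution_score)


def max_connections(history_max: int, behavior_index: float,
                    forgiveness: float, preset_param: float) -> float:
    """min(history_max / (1 + behavior_index * e^-forgiveness), preset_param * history_max)."""
    first_weight = behavior_index * math.exp(-forgiveness)
    second_weight = 1.0 + first_weight
    first_conn = history_max / second_weight
    second_conn = preset_param * history_max
    return min(first_conn, second_conn)


def max_uplink(realtime: float, forgiveness: float,
               standard: float = STANDARD_UPLINK_MBPS) -> float:
    """realtime + e^-forgiveness * (standard - realtime)."""
    fluctuation_diff = standard - realtime
    adjusted = math.exp(-forgiveness) * fluctuation_diff
    return realtime + adjusted


def compute_limits(connections: int, connection_seq: Sequence[int],
                   uplink_seq: Sequence[float], behavior_index: float,
                   distribution_score: float, anomaly_eval: float,
                   anomaly_threshold: float, history_max: int,
                   second_param: float, preset_param: float) -> Optional[dict]:
    """Chain the steps for one target IP.

    Returns None when the network anomaly evaluation does not exceed the
    preset threshold, in which case the description derives no limit."""
    if anomaly_eval <= anomaly_threshold:
        return None
    diff_coef = difference_coefficient(connections, connection_seq, second_param)
    forgiveness = forgiveness_coefficient(diff_coef, distribution_score)
    realtime = uplink_seq[-1]  # latest 5-second sample taken as the real-time uplink flow (assumption)
    return {
        "forgiveness": forgiveness,
        "max_connections": max_connections(history_max, behavior_index, forgiveness, preset_param),
        "max_uplink": max_uplink(realtime, forgiveness),
    }


if __name__ == "__main__":
    # Constructed sample: one IP holding 16 connections against a median of 8,
    # uplink flow in Mbps sampled every 5 seconds, sitting in a cold cluster (Z = -0.5).
    limits = compute_limits(connections=16, connection_seq=[4, 6, 8, 10, 12],
                            uplink_seq=[1.0, 3.0, 2.0, 4.0], behavior_index=2.0,
                            distribution_score=-0.5, anomaly_eval=0.9, anomaly_threshold=0.5,
                            history_max=200, second_param=1.0, preset_param=0.8)
    print("fluctuation degree:", fluctuation_degree([1.0, 3.0, 2.0, 4.0]))
    print(limits)
```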
The embodiment of the invention at least has the following beneficial effects:
the invention uses artificial intelligence techniques to obtain the connection number, access durations, access times, uplink flow sequence and corresponding total uplink flow of each target IP; it calculates the access behavior evaluation index of the target IP from the access times, the access durations and the fluctuation degree of the uplink flow sequence, and judges from the size of that index whether the user is wasting resources; it analyzes each target IP to obtain its flow distribution score and distribution probability; it obtains the behavior forgiveness coefficient from the connection number and flow distribution score of the target IP and uses that coefficient to gauge the abnormality of the target IP, the coefficient being large when the target IP is abnormal, that is, when waste occurs; it obtains the network anomaly evaluation of the target IP from the fluctuation degree of the uplink flow sequence and the access duration; and, when the network anomaly evaluation exceeds the preset anomaly threshold, it obtains the maximum connection number of the target IP from the access behavior evaluation index and the behavior forgiveness coefficient, and the maximum uplink flow of the target IP from the behavior forgiveness coefficient and the difference between the real-time and the standard uplink flow.
By analyzing the connection number, the size of the uplink flow and the access duration of each target IP, the embodiment of the invention gauges the abnormality of the target IP through the access behavior evaluation index and the behavior forgiveness coefficient, derives the maximum connection number and maximum uplink flow for each target IP, and limits the connections and uplink flow of the target IP accordingly, so as to avoid DDoS attacks and thereby sense the network security situation.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions and advantages of the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of a method for sensing network security situation based on artificial intelligence according to an embodiment of the present invention.
Detailed Description
To further illustrate the technical means and effects of the present invention adopted to achieve the predetermined objects, the following detailed description of the network security situation awareness method based on artificial intelligence according to the present invention, its specific implementation, structure, features and effects will be given below with reference to the accompanying drawings and preferred embodiments. In the following description, the different references to "one embodiment" or "another embodiment" do not necessarily refer to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.
The embodiment of the invention provides a concrete implementation method of a network security situation perception method based on artificial intelligence, which is suitable for a network security situation perception scene. Each user corresponds to one target IP in the scene, connection is established between each target IP and the public cloud, multiple connections can be established between one target IP and the public cloud, and each target IP corresponds to one total uplink flow. The method aims to solve the problem that the resource cannot be effectively limited only by limiting the flow. The embodiment of the invention analyzes the abnormal degree of the target IP by analyzing the connection number, the size of the uplink flow and the access duration of the target IP to obtain the access behavior evaluation index and the behavior forgiveness coefficient, and further obtains the maximum connection number and the maximum uplink flow corresponding to each target IP to limit the connection number and the uplink flow of the target IP so as to avoid the DDoS attack and further realize the purpose of sensing the network security situation.
The following describes a specific scheme of the network security situation awareness method based on artificial intelligence in detail with reference to the accompanying drawings.
Referring to fig. 1, a flowchart illustrating steps of a method for sensing network security situation based on artificial intelligence according to an embodiment of the present invention is shown, where the method includes the following steps:
step S100, acquiring the number of connections established between each target IP and the public cloud, the access duration of each target IP, the uplink flow sequence of each target IP and the corresponding total uplink flow.
Typical data access consists of services such as remote databases for the Internet of Things, home-office cloud desktops and video surveillance transmission. Their common characteristic is that traffic is consumed continuously but intermittently in time. Situation awareness for such traffic is weak because the behavior has no obvious features, yet this kind of hybrid cloud is the most convenient and most widely used.
First, the number of connections established between each target IP and the public cloud is obtained.
Because target IPs and their demand for the service differ, the number of connections needed to deliver the service differs when access finally takes place. To achieve throttling and prevent distributed denial of service (DDoS) attacks, the number of connections established between a target IP and the public cloud must be detected and controlled. Acquiring the number of connections established between a target IP and the public cloud is a technique well known to those skilled in the art.
When the packets per second (PPS) during access is low, the user may, without realizing it, raise the retry ratio and so generate a high request volume. When network quality is poor, most network resources go to increasing the number of packets processed per second for the IP, which is desirable in that case. However, if the request volume remains high when the number of packets processed per second is already high, it may be regarded as waste; there may be multiple connections or a distributed denial of service attack, and it needs to be controlled.
Traffic is collected in a distributed manner: the whole public-network server side analyzes the traffic of each target IP, forming a mesh structure, and the uplink flow information of each target IP is acquired. The uplink flow sequences and total uplink flows of the target IPs are then obtained from the distribution of the target IPs. Specifically:
Traffic leaves the network after the user adjusts it to the service content, for example the image quality of a remote desktop or the bit rate of a video; since everyone's comfort level differs, the traffic finally produced at the uplink outlet may differ. If the traffic flowing out at some point is abnormally high or low and lasts for a long time, this indicates to some extent that the current target IP's usage is wasteful. The uplink flow at each uplink outlet is acquired over a fixed time period. Acquiring the upstream traffic is a known technique of those skilled in the art and can be done through a logging tool embedded in the LoadBalance service; that is, the size of the uplink flow while the service is running is obtained.
The user's uplink flow is monitored for a long time, that is, the change in uplink flow from the beginning to the end of the user's access is acquired: the uplink flow of each target IP is sampled once per fixed time period and an uplink flow sequence is constructed. In the embodiment of the present invention the sampling frequency of the uplink flow sequence is 0.2 Hz, that is, the fixed time period is 5 seconds and the uplink flow is sampled every 5 seconds. Each target IP corresponds to one uplink flow sequence, and the sum of the uplink flows in that sequence is the total uplink flow of the target IP.
Further, the time length of each access of each target IP is determined.
Generally, during access a user may pause or put the service into a suspended state, for example suspending a remote desktop or a video stream during the working period. If the service is always in the access state, the current target IP is considered to be wasting network resources, as in a distributed denial of service (DDoS) attack. When the access time is intermittent, the current user is in an intermittent access state and is considered to be in normal use.
Because access begins with operations performed after login, login can serve as the starting state for counting the user's access duration. The access duration sequence is the time data produced when a user logs in and logs out repeatedly: one access duration value is determined for each login and logout.
Step S200, acquiring the number of access duration of each target IP as the access times; calculating to obtain an access behavior evaluation index of the target IP based on the access times, the access duration and the fluctuation degree of the uplink flow sequence; analyzing each target IP based on the total uplink flow to obtain a flow distribution score and a distribution probability of each target IP; obtaining a difference coefficient according to the difference between the connection number corresponding to the target IP and the median value in the connection number sequence; and the product of the difference coefficient and the absolute value of the traffic distribution score is used as a behavioral forgiveness coefficient.
The user's access behavior is evaluated to obtain an access behavior evaluation index. The access behavior comprises the access times, the access durations and the fluctuation degree of the uplink flow sequence. Based on the uplink flow of each target IP and combined with the current access behavior evaluation index of each user, the current uplink flow is then controlled appropriately to achieve throttling.
First, the number of access durations of each target IP is taken as the access times, that is, the length of the access duration sequence is the access times. The larger the access times, the more often the user enters and leaves the service, which also reflects how much the user values network resources.
If the user never closes the connection from beginning to end, which may be caused by a download tool or a long transfer, network resources are being wasted; the user's access behavior is therefore evaluated from the access durations and access times during access and from the size of the uplink traffic of the target IP. If the user's uplink traffic usage lies in an improper interval and stays stable for a long time, a DDoS condition can be judged and the user's attack or abuse motive can be determined.
The access behavior evaluation index of the target IP is calculated from the access times, the access durations and the fluctuation degree of the uplink flow sequence. Specifically:
the difference between each uplink flow value and the preset standard uplink flow is taken as a fluctuation difference value, and the mean of the squares of the fluctuation difference values is taken as the fluctuation degree of the uplink flow sequence. In the embodiment of the invention the preset standard uplink flow is 2 Mbps; in other embodiments an implementer can adjust the value according to the actual situation.
The access behavior evaluation index is calculated by the formula shown in the original patent figure (formula image not reproduced here), in which:
(symbol not reproduced) is the number of accesses;
(symbol not reproduced) is the ith access duration;
tanh() is the hyperbolic tangent function;
(symbol not reproduced) is the fluctuation degree of the uplink flow sequence;
(symbol not reproduced) is the first adjustment parameter. In the embodiment of the present invention the first adjustment parameter is 0.03; in other embodiments an implementer may adjust the value according to the actual situation.
The sum of the access durations (a term of the formula, not reproduced here) reflects the total access time of the user's current access; the smaller the total access time, the stronger the user's throttling awareness and the less resource is currently wasted.
The hyperbolic tangent term (not reproduced here) reflects the change in the user's uplink flow during access: the uplink flow over the whole access is compared with the preset standard uplink flow to determine whether resources are being wasted, and the hyperbolic tangent function normalizes the data.
The access behavior evaluation index may be obtained from related historical data. To avoid an overly conservative final evaluation caused by rapid changes in user behavior, only the last three records of historical data are used: the access behavior evaluation index is computed for each of the three records and the three values are averaged. An access behavior evaluation index is thereby obtained for each target IP.
The users of the hybrid cloud are mainly within one city or province, and since backbone network performance is also maintained per sector, a temporary overload of a sector's backbone network degrades service access for that sector's users. Analysis and division can therefore be performed by sector:
If the public cloud flows are all consistent, that is, they are all traffic of some reasonable access, the access flows of all accessing target IPs are reasonably close at that time. If one region has low bandwidth and a user's service establishes multiple connections, this can be forgiven to a certain degree and subsequent throttling is restrained, giving the user a better experience.
Each target IP is analyzed based on the total uplink flow to obtain the flow distribution score and the distribution probability of each target IP.
Specifically, the method comprises the following steps: cold and hot spot analysis is performed on each target IP based on the total uplink flow of each target IP to obtain the flow distribution score and the distribution probability of each target IP. The purpose of the cold and hot spot analysis is to avoid the system misjudging the uplink flow of the current target IP because of abnormal flow in a single region, which may simply mean that the user's network quality is poor. The cold and hot spot analysis compares the distribution of the uplink flow against the uplink flow of nearby target IPs and thereby gives a more detailed analysis of it.
The analysis field is set to the packets per second (PPS) currently handled by the public cloud part, the conceptualization of spatial relationships is the inverse distance model, the distance method is the Euclidean distance, the spatial weight matrix is standardized, and the remaining settings are kept at their defaults. The spatial weight matrix and the weight of each target IP are determined by the implementer according to the distribution of the public cloud structure. In the embodiment of the invention, the weight of a near-range target IP is set to 1 and the weight of a far-range target IP is set to 0.3, where near and far are decided from operator information: either by the output port division of the OLT, so that target IPs under the same output port are not regarded as far-range, or by defining a geofence over the registered IP address range, so that target IPs outside the range are regarded as far-range and target IPs inside the range as near-range. The inverse distance model is commonly used in cold and hot spot analysis and is a known technique to those skilled in the art.
Finally, for the acquired flow data set, the analysis returns the relevant parameters: the current flow distribution score Z, the distribution probability P, and the confidence level of the current score (in the Getis-Ord Gi* hot spot statistic that this analysis corresponds to, these are the z-score, the p-value and the confidence bin of each unit).
When the flow distribution score of a target IP is greater than 1, the target IP is surrounded by high values and forms a high-value cluster, that is, a regional spatial aggregation of higher flow; conversely, when the flow distribution score is less than -1, the target IP is surrounded by low values and forms a low-value cluster, a regional spatial aggregation of lower flow. The flow distribution score Z follows the standard normal distribution, so the distribution probability P is largest when the score is 0 (at the confidence levels conventionally used in hot spot analysis, |Z| of about 1.65 and 1.96 correspond to 90% and 95% confidence, so a threshold of 1 is a loose one). The threshold on the flow distribution score Z at which a region is treated as abnormal must be set by the implementer from the actual layout of the current public cloud and long-term observation data, so that the region of currently abnormal flow can be found.
The more abnormal the target IP, the larger the absolute value of its flow distribution score Z; the sign of the score gives the direction of the cold or hot spot, that is, whether the current flow lies above or below the flow of its neighbors.
Because the target IPs are deployed on different links, the uplink flow of the target IPs differs noticeably; the difference also varies with maintenance, with the data volume at each service egress and with the number of services opened, none of which can be controlled. This difference is therefore also used as an influencing factor of the behavior forgiveness coefficient.
The uplink flow of all target IPs is analyzed to obtain the difference coefficient of each target IP. The difference coefficient is obtained from the difference between the connection number of the target IP and the median of the connection number sequence. Specifically, the method comprises the following steps:
obtaining the median of the connection number sequence, and subtracting one from the ratio of the connection number of the target IP to the median to obtain an initial difference value; taking the product of the second adjustment parameter and the absolute value of the initial difference value as a second difference value; and taking an exponential function with base ten and the second difference value as the exponent as the difference coefficient of the target IP.
The difference coefficient of the i-th target IP is therefore calculated as:

difference coefficient = 10 ^ ( second adjustment parameter × | connection number of the i-th target IP / median of the connection number sequence − 1 | )

where the connection number sequence consists of the connection numbers of all target IPs of the public cloud, and the median is taken over that sequence. In the embodiment of the present invention, the value of the second adjustment parameter is 10; in other embodiments, an implementer may adjust the value according to the actual situation.
When the connection number of the target IP is close to the median of the connection numbers of all target IPs in the public cloud, the ratio is close to 1, the initial difference value is close to 0 and the difference coefficient is close to its minimum value of 1 (ten to the power zero); such a target IP is granted little forgiveness when a wasting event occurs.
The product of the difference coefficient and the absolute value of the flow distribution score is taken as the behavior forgiveness coefficient. The flow distribution score is the evaluation score of the difference in the public cloud flow distribution; since it has a sign, its absolute value is used. When the difference coefficient and the flow distribution score are both low, the target IP is more likely to be a normal IP and its behavior forgiveness coefficient is smaller; conversely, when the difference coefficient and the flow distribution score are high, the system may forgive the access behavior of the current user to a certain degree, and the corresponding behavior forgiveness coefficient is larger.
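The hot spot analysis of the preceding paragraphs and the difference and forgiveness coefficients just described, carried out end to end in Python as an added example (this is not the patent's own code). It follows the embodiment for the near/far weights 1 and 0.3, the standardized spatial weight matrix, the base-ten difference coefficient with second adjustment parameter 10, and forgiveness = difference coefficient × |Z|; the Getis-Ord Gi* statistic with a self-weight of 1 is the hot spot method assumed here, and the function names, the two-sided normal p-value and all sample data are constructed for illustration.

```python
"""Hot-spot scoring of per-IP uplink flow and the behaviour forgiveness
coefficient derived from it (added example, not the patent's own code).

Follows the embodiment for: near/far weights 1.0 and 0.3, row-standardised
spatial weights, the Getis-Ord Gi* hot-spot statistic (z-score Z and
p-value P), the difference coefficient 10 ** (beta * |c_i/median - 1|)
with beta = 10, and forgiveness = difference coefficient * |Z|.
Function names, the self-weight of 1.0 for Gi*, the two-sided normal
p-value and all sample data below are assumptions.
"""
import math
from statistics import median


def gi_star(values, weights):
    """Getis-Ord Gi* z-score and two-sided p-value for each unit.

    values  : total uplink flow of each target IP (the analysis field).
    weights : n x n raw spatial weights; weights[i][j] weights IP j when
              scoring IP i, diagonal included (Gi* counts the unit itself).
              Each row is standardised to sum to 1 before use.
    """
    n = len(values)
    mean = sum(values) / n
    # Population standard deviation: S = sqrt(sum(x^2)/n - mean^2)
    s = math.sqrt(max(sum(v * v for v in values) / n - mean * mean, 0.0))
    if n < 2 or s == 0.0:
        # Identical flows everywhere: no hot or cold spot can exist.
        return [0.0] * n, [1.0] * n
    z_scores, p_values = [], []
    for i in range(n):
        row_sum = sum(weights[i])
        w = [wij / row_sum for wij in weights[i]]  # row standardisation
        sw = sum(w)                                 # 1.0 after standardising
        sw2 = sum(wij * wij for wij in w)
        numerator = sum(wij * xj for wij, xj in zip(w, values)) - mean * sw
        var_term = max((n * sw2 - sw * sw) / (n - 1), 0.0)
        denominator = s * math.sqrt(var_term)
        # Uniform weights make the statistic undefined; report no cluster.
        z = numerator / denominator if denominator > 0.0 else 0.0
        z_scores.append(z)
        # Two-sided p-value under the standard normal: erfc(|z| / sqrt(2))
        p_values.append(math.erfc(abs(z) / math.sqrt(2.0)))
    return z_scores, p_values


def near_far_weights(regions, near=1.0, far=0.3):
    """Weight matrix from a region label per target IP: IPs in the same
    region (same OLT output port or same geofence in the text) get the
    near weight, all others the far weight."""
    return [[near if ri == rj else far for rj in regions] for ri in regions]


def difference_coefficient(connections, beta=10.0):
    """10 ** (beta * |c_i / median(C) - 1|) per target IP; equals 1 at the
    median and grows tenfold for every 1/beta of relative deviation."""
    med = median(connections)
    return [10.0 ** (beta * abs(c / med - 1.0)) for c in connections]


def forgiveness_coefficients(connections, uplink_totals, regions, beta=10.0):
    """Behaviour forgiveness coefficient = difference coefficient * |Z|.
    Returns (forgiveness, Z, P) lists aligned with the input IPs."""
    z, p = gi_star(uplink_totals, near_far_weights(regions))
    sigma = difference_coefficient(connections, beta)
    return [si * abs(zi) for si, zi in zip(sigma, z)], z, p


# Constructed sample (not measured data): four target IPs, two per region;
# region A carries heavy uplink, region B light uplink.
SAMPLE_UPLINK = [10.0, 10.0, 2.0, 2.0]        # total uplink per IP
SAMPLE_CONNECTIONS = [120, 100, 100, 80]     # connections per IP
SAMPLE_REGIONS = ["A", "A", "B", "B"]

if __name__ == "__main__":
    f, z, p = forgiveness_coefficients(SAMPLE_CONNECTIONS, SAMPLE_UPLINK, SAMPLE_REGIONS)
    for i, (fi, zi, pi) in enumerate(zip(f, z, p)):
        kind = "hot" if zi > 1 else "cold" if zi < -1 else "neutral"
        print(f"IP{i}: Z={zi:+.3f} P={pi:.3f} {kind:7s} forgiveness={fi:.3g}")
```

On the constructed sample the two region-A IPs score Z = +1.73 (a high-value cluster) and the two region-B IPs Z = -1.73, each with a two-sided P of about 0.08, so neither cluster reaches the conventional 95% confidence even though both pass the text's threshold of 1. The IPs 20% away from the median connection count get a difference coefficient of 100 and a forgiveness coefficient of about 173, while the IPs at the median get 1 and 1.73; the second adjustment parameter sets how steeply the coefficient rises.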
Step S300, obtaining the network anomaly evaluation of the target IP based on the fluctuation degree and the access duration of the uplink flow sequence; and when the network anomaly evaluation is greater than a preset anomaly threshold, obtaining the maximum connection number of the target IP according to the access behavior evaluation index and the behavior forgiveness coefficient, and obtaining the maximum uplink flow of the target IP according to the difference between the behavior forgiveness coefficient, the real-time uplink flow and the standard uplink flow.
Whether the target IP shows abuse behavior is further judged by combining the uplink flow of each user's target IP with the optimal access interval time obtained by analyzing the public cloud big data. That is, the network anomaly evaluation of the target IP is obtained based on the fluctuation degree and the access duration of the uplink flow sequence.
The network anomaly evaluation is calculated by the formula given in the original figure (the formula image is not reproduced here); the symbols of that formula denote, in order:
max( ) is a maximum function;
sign( ) is a sign function;
tanh( ) is a hyperbolic tangent function;
mean( ) is a mean function;
the real-time uplink flow;
the preset standard uplink flow;
the first adjustment parameter;
the third adjustment parameter;
the first-segment access duration;
the standard first-segment access duration.
In the embodiment of the present invention, the value of the first adjustment parameter is 0.03 and the value of the third adjustment parameter is 0.8; in other embodiments, an implementer may adjust the values according to actual conditions. The standard first-segment access duration is the appropriate first-segment access time obtained by analyzing the big data of the public cloud.
In the calculation formula of the network anomaly evaluation, the uplink flow part measures the uplink flow: the uplink flow is detected in real time, and the mean is taken over all data from the start of the access up to the monitoring moment. The access duration part judges the first-segment access duration: the first-segment access duration is compared with the appropriate access duration, and if the first-segment access duration is excessively overtime, this reflects wasting behavior of the current target IP. The third adjustment parameter corrects the first-segment access duration so that a certain amount of spare time is reserved for the user.
When the network anomaly evaluation is greater than the preset anomaly threshold, the current user is wasting public cloud bandwidth resources to some degree, and flow control measures are taken immediately: the maximum connection number of the target IP is obtained from the access behavior evaluation index and the behavior forgiveness coefficient, and the maximum uplink flow of the target IP is obtained from the difference between the behavior forgiveness coefficient, the real-time uplink flow and the standard uplink flow. In the embodiment of the present invention, the preset anomaly threshold is 0; in other embodiments, an implementer may adjust the value according to the actual situation.
The maximum connection number of the target IP is obtained from the access behavior evaluation index and the behavior forgiveness coefficient. Specifically, the method comprises the following steps:
acquiring the historical maximum connection number of the target IP; taking an exponential function with the natural constant as base and the negative behavior forgiveness coefficient as exponent, multiplying it by the access behavior evaluation index to obtain a first weight; taking the sum of the first weight and one as a second weight; and multiplying the reciprocal of the second weight by the historical maximum connection number to obtain a first connection number.
The preset adjustment parameter is multiplied by the historical maximum connection number to obtain a second connection number. In the embodiment of the present invention, the value of the preset adjustment parameter is 0.4; in other embodiments, the implementer may adjust the value according to the actual situation.
The smaller of the first connection number and the second connection number is taken as the maximum connection number.
The maximum connection number of the target IP is therefore calculated as:

maximum connection number = min( historical maximum connection number / ( 1 + access behavior evaluation index × e ^ ( − behavior forgiveness coefficient ) ), preset adjustment parameter × historical maximum connection number )

where min( ) is a minimum function and e is the natural constant.
Here min( ) takes the smaller of the two candidate values, so the result is bounded from above by the second connection number, and within this limit the access of the user in the current state can still be guaranteed.
Further, the maximum uplink flow is calculated from the difference between the behavior forgiveness coefficient, the real-time uplink flow and the standard uplink flow. Specifically, the method comprises the following steps:
taking the difference between the preset standard uplink flow and the real-time uplink flow as a fluctuation difference value;
taking an exponential function with the natural constant as base and the negative behavior forgiveness coefficient as exponent, and multiplying it by the fluctuation difference value to obtain the adjusted uplink flow; the sum of the real-time uplink flow and the adjusted uplink flow is the maximum uplink flow of the target IP.
The maximum uplink flow of the target IP is therefore calculated as:

maximum uplink flow = real-time uplink flow + e ^ ( − behavior forgiveness coefficient ) × ( preset standard uplink flow − real-time uplink flow )

where e is the natural constant. In the embodiment of the invention, the value of the preset standard uplink flow is 2 Mbps; the purpose of limiting to the preset standard uplink flow is to ensure that the upstream servers at the back end of the hybrid cloud are not hit by a large volume of traffic in a short time, which would cause service anomalies.
The specific method for enforcing the uplink flow and the connection number is as follows: if the implementer uses an NGINX server, the limit_req module is used to approximately convert the service's flow into a request count and set a request-rate limit, for example limiting the target IP to 100 req/s. Note that limit_req caps the request rate per key (for example per client address), while the concurrent connection count per key is capped by the separate limit_conn module, so the maximum connection number maps onto limit_conn and the maximum uplink flow has to be approximated as a request rate for limit_req.
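The two limit formulas above, and the approximate conversion of an uplink cap into a request rate that the NGINX paragraph relies on, as an added Python example (not the patent's own code). It follows the embodiment for the preset adjustment parameter 0.4 and the standard uplink flow of 2 Mbps; flooring the connection cap to a whole number, the average request size used for the conversion, and all sample inputs are assumptions made here.

```python
"""Per-IP caps from the behaviour forgiveness coefficient (added example,
not the patent's own code).

Implements the two formulas of the text: the maximum connection number
min(N_hist / (1 + Q * e**-F), alpha * N_hist) with alpha = 0.4, and the
maximum uplink flow U_rt + e**-F * (U_std - U_rt) with U_std = 2 Mbps.
Flooring the connection cap to a whole number, the byte-to-request
conversion and all sample inputs are assumptions.
"""
import math


def max_connections(historical_max, behaviour_index, forgiveness, alpha=0.4):
    """Maximum connection number of a target IP.

    historical_max  : historical maximum connection number N_hist
    behaviour_index : access behaviour evaluation index Q (>= 0)
    forgiveness     : behaviour forgiveness coefficient F (>= 0)
    alpha           : preset adjustment parameter (0.4 in the embodiment)
    """
    first_weight = behaviour_index * math.exp(-forgiveness)   # Q * e^-F
    second_weight = 1.0 + first_weight
    first = historical_max / second_weight            # first connection number
    second = alpha * historical_max                   # second connection number
    return int(math.floor(min(first, second)))


def max_uplink(realtime_mbps, forgiveness, standard_mbps=2.0):
    """Maximum uplink flow: the real-time flow pulled toward the standard
    flow by e^-F. Small F (little forgiveness) snaps the cap to the
    standard; large F leaves the cap at the current real-time flow."""
    fluctuation = standard_mbps - realtime_mbps
    adjusted = math.exp(-forgiveness) * fluctuation
    return realtime_mbps + adjusted


def requests_per_second(max_uplink_mbps, avg_request_bytes):
    """Approximate a byte-rate cap as a request-rate cap, as needed when
    the cap is enforced with a request limiter such as nginx limit_req.
    Assumes an average request size (2 Mbps at 2500-byte requests is
    100 req/s)."""
    return max_uplink_mbps * 1_000_000 / 8 / avg_request_bytes


def limits_for_ip(historical_max, behaviour_index, forgiveness, realtime_mbps,
                  avg_request_bytes=2500):
    """Connection cap, uplink cap and the req/s the uplink cap maps to."""
    conn = max_connections(historical_max, behaviour_index, forgiveness)
    up = max_uplink(realtime_mbps, forgiveness)
    return conn, up, requests_per_second(up, avg_request_bytes)


if __name__ == "__main__":
    # Constructed cases: one IP history, three forgiveness regimes.
    for f in (0.0, 1.0, 50.0):
        conn, up, rps = limits_for_ip(1000, behaviour_index=5.0,
                                      forgiveness=f, realtime_mbps=3.0)
        print(f"F={f:5.1f}: max connections={conn:4d}  "
              f"max uplink={up:.3f} Mbps (~{rps:.0f} req/s)")
```

Run as a script, the three regimes show the behaviour a practitioner should expect: with F = 0 an IP currently pushing 3 Mbps is capped at the 2 Mbps standard and at N_hist/(1+Q) connections, while with a large F the uplink cap stays at the current 3 Mbps and the connection cap is held only by the 0.4 × N_hist bound. Because the difference coefficient of the text rises tenfold for every 10% deviation from the median connection count (with the second adjustment parameter 10), F is in practice either close to |Z| or in the hundreds, where e^-F underflows to zero; the second adjustment parameter and the 0.4 bound are therefore the settings to tune.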
Limiting the connection number and the uplink flow in this way achieves throttling, abuse prevention and DDoS mitigation: the connection number of the target IP cannot exceed the maximum connection number and its uplink traffic cannot exceed the maximum uplink flow, so DDoS attacks are held off and network security situation awareness is realized.
In summary, the present invention uses artificial intelligence techniques as follows: the method obtains the number of connections established between each target IP and the public cloud, the access duration of each target IP, the uplink flow sequence of each target IP and the corresponding total uplink flow; takes the number of access durations of each target IP as the access times; calculates the access behavior evaluation index of the target IP based on the access times, the access duration and the fluctuation degree of the uplink flow sequence; analyzes each target IP based on the total uplink flow to obtain the flow distribution score and the distribution probability of each target IP; obtains a difference coefficient from the difference between the connection number of the target IP and the median of the connection number sequence; takes the product of the difference coefficient and the absolute value of the flow distribution score as the behavior forgiveness coefficient; obtains the network anomaly evaluation of the target IP based on the fluctuation degree and the access duration of the uplink flow sequence; and, when the network anomaly evaluation is greater than a preset anomaly threshold, obtains the maximum connection number of the target IP from the access behavior evaluation index and the behavior forgiveness coefficient, and the maximum uplink flow of the target IP from the difference between the behavior forgiveness coefficient, the real-time uplink flow and the standard uplink flow.
The embodiment of the invention analyzes the degree of abnormality of a target IP from its connection number, uplink flow and access duration to obtain the access behavior evaluation index and the behavior forgiveness coefficient, and from these derives the maximum connection number and the maximum uplink flow of each target IP, which limit the connection number and the uplink flow of the target IP so as to avoid DDoS attacks and thereby realize network security situation awareness.
It should be noted that: the precedence order of the above embodiments of the present invention is only for description, and does not represent the merits of the embodiments. The processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (1)

1. A network security situation perception method based on artificial intelligence is characterized by comprising the following steps:
acquiring the number of connections established between each target IP and the public cloud, the access duration of each target IP, the uplink flow sequence of each target IP and the corresponding total uplink flow;
acquiring the number of access durations of all target IPs as access times; calculating to obtain an access behavior evaluation index of the target IP based on the access times, the access duration and the fluctuation degree of the uplink flow sequence; analyzing each target IP based on the total uplink flow to obtain a flow distribution score and a distribution probability of each target IP; obtaining a difference coefficient according to the difference between the connection number corresponding to the target IP and the median value in the connection number sequence; the product of the difference coefficient and the absolute value of the traffic distribution score is used as a behavioral forgiveness coefficient;
acquiring network anomaly evaluation of a target IP based on the fluctuation degree and the access duration of the uplink flow sequence; when the network anomaly evaluation is larger than a preset anomaly threshold value, obtaining the maximum connection number of the target IP according to the access behavior evaluation index and the behavior forgiveness coefficient, and obtaining the maximum uplink flow of the target IP according to the difference between the behavior forgiveness coefficient, the real-time uplink flow and the standard uplink flow;
the method for acquiring the access behavior evaluation index of the target IP comprises the following steps: acquiring a difference value between the uplink flow and a preset standard uplink flow as a fluctuation difference value; taking the mean value of the squares of a plurality of fluctuation difference values as the fluctuation degree of the uplink flow rate sequence;
the calculation formula of the access behavior evaluation index is given in the original figure (the formula image is not reproduced here), and the symbols of that formula denote: the access behavior evaluation index; the number of accesses; the i-th access duration; tanh() is a hyperbolic tangent function; the fluctuation degree of the uplink flow sequence; and the first adjustment parameter;
analyzing each target IP based on the total uplink flow to obtain a flow distribution score and a distribution probability of each target IP, wherein the flow distribution score and the distribution probability are as follows: performing cold and hot point analysis on each target IP based on the total uplink flow of each target IP to obtain a flow distribution score and a distribution probability of each target IP;
the method for acquiring the difference coefficient comprises the following steps: acquiring a median value in the connection number sequence; subtracting one from the ratio of the number of connections corresponding to the target IP and the median value to obtain an initial difference value; taking the product of the absolute value of the initial difference value and a second adjusting parameter as a second difference value; taking ten as a base number, and taking an exponential function with the second difference value as an index as a difference coefficient corresponding to the target IP;
the method for acquiring the network anomaly evaluation of the target IP comprises the following steps: the network anomaly evaluation is calculated by the formula given in the original figure (the formula image is not reproduced here), and the symbols of that formula denote: the network anomaly evaluation; max() is a maximum function; sign() is a sign function; tanh() is a hyperbolic tangent function; mean() is a mean function; the real-time uplink flow; the preset standard uplink flow; the first adjustment parameter; the third adjustment parameter; the first-segment access duration; and the standard first-segment access duration;
the method for acquiring the maximum connection number of the target IP comprises the following steps: acquiring the historical maximum connection number of the target IP; taking an exponential function with the natural constant as base and the negative behavior forgiveness coefficient as exponent and multiplying it by the access behavior evaluation index to obtain a first weight, the sum of the first weight and one being a second weight, and multiplying the reciprocal of the second weight by the historical maximum connection number to obtain a first connection number; multiplying the preset adjustment parameter by the historical maximum connection number to obtain a second connection number; and taking the smaller of the first connection number and the second connection number as the maximum connection number of the target IP;
the method for acquiring the maximum uplink flow of the target IP comprises the following steps: taking the difference between the preset standard uplink flow and the real-time uplink flow as a fluctuation difference value; taking an exponential function with the natural constant as base and the negative behavior forgiveness coefficient as exponent and multiplying it by the fluctuation difference value to obtain an adjusted uplink flow; and taking the sum of the real-time uplink flow and the adjusted uplink flow as the maximum uplink flow of the target IP.
CN202210784685.8A 2022-07-06 2022-07-06 Network security situation perception method based on artificial intelligence Active CN114884749B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210784685.8A CN114884749B (en) 2022-07-06 2022-07-06 Network security situation perception method based on artificial intelligence

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210784685.8A CN114884749B (en) 2022-07-06 2022-07-06 Network security situation perception method based on artificial intelligence

Publications (2)

Publication Number Publication Date
CN114884749A CN114884749A (en) 2022-08-09
CN114884749B true CN114884749B (en) 2022-09-16

Family

ID=82682775

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210784685.8A Active CN114884749B (en) 2022-07-06 2022-07-06 Network security situation perception method based on artificial intelligence

Country Status (1)

Country Link
CN (1) CN114884749B (en)

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102045468B1 (en) * 2015-07-27 2019-11-15 한국전자통신연구원 Apparatus for detection of anomalous connection behavior based on network data analytics and method using the same
CN110881034A (en) * 2019-11-11 2020-03-13 重庆工业职业技术学院 Computer network security system based on virtualization technology
CN111181932B (en) * 2019-12-18 2022-09-27 广东省新一代通信与网络创新研究院 DDOS attack detection and defense method, device, terminal equipment and storage medium
CN112351012A (en) * 2020-10-28 2021-02-09 杭州安恒信息技术股份有限公司 Network security protection method, device and system
CN114531681A (en) * 2020-10-30 2022-05-24 华为技术有限公司 Abnormal terminal control method and device
CN113079143A (en) * 2021-03-24 2021-07-06 北京锐驰信安技术有限公司 Flow data-based anomaly detection method and system
US11425152B2 (en) * 2021-05-11 2022-08-23 Asna Suhail Zaman Physical and network security system and mehtods

Also Published As

Publication number Publication date
CN114884749A (en) 2022-08-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A Method of Network Security Situation Awareness Based on Artificial Intelligence

Effective date of registration: 20221207

Granted publication date: 20220916

Pledgee: China Postal Savings Bank Limited by Share Ltd. Wenshang County sub branch

Pledgor: Zhilian Xintong Technology Co.,Ltd.

Registration number: Y2022980025489